Abstract. The reachability analysis of recursive programs that communicate asynchronously over reliable FIFO channels calls for restrictions to ensure decidability. Our first result characterizes communication topologies with a decidable reachability problem restricted to eager runs (i.e., runs where messages are either received immediately after being sent, or never received). The problem is ExpTime-complete in the decidable case. The second result is a doubly exponential time algorithm for bounded context analysis in this setting, together with a matching lower bound. Both results extend and improve previous work from [21].



Checking safety properties for distributed programs like client/server environments, peer-to-peer applications, or asynchronous programs on multi-core processors is a standard task in verification. However, it is well established that the automatic analysis of distributed programs is a quite challenging objective.

A basic feature of the programs used in the applications mentioned above is that they 
need to exchange information asynchronously, over point-to-point channels that are un- 
bounded and reliable. Such information is used for instance to perform function calls on 
remote processes. This amounts to considering a model that combines recursion with asyn- 
chronous communication. Such a combined model is similar in spirit to, e.g., process rewrite 
systems [25], that mix recursion and Petri nets. We denote the combination of recursion 
and asynchronous communication as Recursive Communicating Processes (RCPS for short) 
here. The model has been recently studied by La Torre, Madhusudan, and Parlato [21], who 
were mainly interested in applying bounded context analysis to this setting. 

Since RCPS subsume the well-studied class of communicating finite-state machines [8], reachability is already undecidable without recursion. Moreover, it is well-known that reachability for pushdown systems that synchronize by rendezvous is undecidable as well [28]. Therefore, our main motivation was to separate these two sources of undecidability. We consider here behavioral restrictions for which reachability for communicating finite-state machines is decidable, and then look under which conditions recursion can be added to the model.

The reachability question for communicating finite-state machines can be tackled in 
three different ways, either by restricting the communication topology or by assuming that 
channels are lossy, or by considering only executions on channels of fixed size. In general, 
the last two approaches provide approximated solutions to the reachability problem. On 
the positive side, the last idea yields exact solutions in some special cases, either for certain 
restricted topologies (e.g., acyclic ones) or under certain behavioral restrictions on the 
communication (e.g., mutex communication, see below). 

As already mentioned, our starting point is the work of La Torre et al. [21]. They introduced a syntactic restriction on the combined use of channels and pushdowns that prevents the synchronization of pushdowns leading to an undecidable reachability question. An RCPS is called well-queueing in [21] if pushdown processes can only read messages when their stack is empty (they can send messages without any restriction). Well-queueing expresses an event-based programming paradigm: tasks are executed by threads without interrupt, i.e., a thread accepts the next task only after it has finished the current one. One of the results of [21] is that well-queueing RCPS have a decidable reachability problem if and only if the topology is a directed forest; in the decidable case, they provide a doubly exponential algorithm by a reduction to bounded-phase multi-stack pushdown systems [20].

We extend the results of [21] in several directions. First, we add a dual notion to well-queueing: a pushdown process can send messages only with an empty stack (but can read messages without restriction). This dual notion arises naturally if one wants to model interrupts: a server might need to accept tasks from high-priority clients independently of the status of the running task. We use these two restrictions by fixing the type of each communication channel, to be either well-queueing or the dual notion. A communication topology, together with channel types, is called a typed topology.

We give in Section 2 a precise characterization of those typed topologies for which the RCPS model has a decidable reachability problem over so-called eager runs. A run is eager if the sending of a message is immediately followed by its reception (if any). This notion is closely related to bounded communication [23]. Communicating finite-state machines with existential channel bounds, i.e., where each run can be reordered into a run over bounded channels, are a well-studied model enjoying good expressiveness and decidability properties [15] (see footnote 1). Here, we simply use eager runs in order to rule out undecidability due to unbounded channels, since reachability for finite-state communicating machines over eager runs is decidable. We show that reachability of RCPS over eager runs is ExpTime-complete in the decidable case. Our result generalizes and improves the doubly exponential time decision procedure of [21], which holds for topologies without undirected cycles (called polyforests).

The restriction to eager runs appears to be strong at first glance. However, we show in Section 3 that it arises rather naturally, by imposing a behavioral restriction on the communication: the mutex restriction requires that in every reachable configuration there is no more than one non-empty channel per cycle of the network. In particular, RCPS over polyforest architectures are mutex. Mutex can also be seen as a generalization of the half-duplex restriction studied in [9].



Footnote 1: Machines with the property that each run can be reordered into an eager one are a special instance of existentially 1-bounded machines. Eagerness is related to a global channel bound [23].
La Torre et al. propose in [21] a second approach to solve the reachability problem for RCPS, inspired by successful work on reachability with bounded contexts in the verification of concurrent Boolean programs [27]. They show that bounded-context reachability for well-queueing RCPS is decidable in time doubly exponential in the number of contexts. Again, this result is obtained by a reduction to bounded-phase multi-stack pushdown systems [20]. Our result in Section 4 extends the bounded-context result of [21] to RCPS that allow for the two dual notions of well-queueing. Moreover, our algorithm is direct and simpler than the one involving bounded-phase multi-stack pushdown systems. We also provide a matching lower bound for the complexity.

Related work. In the context of multi-thread programming, other notions of synchronization between pushdowns arise naturally. Earlier publications considered synchronization via shared memory, such as local/global memory in [6, 7] or bags in [29, 17]. The paper [6] showed that bounded-context reachability can be solved in exponential time, whereas [29] provided an exponential space lower bound for reachability with atomic methods (without context bounds). Also, synchronization in the form of state observation was considered in [3]. The latter model was shown to be decidable only for acyclic architectures, and is strongly related to lossy systems [1, 11]. For the shared memory model, [18] shows how to reduce concurrent pushdowns to a single pushdown, assuming a priority preemptive scheduling policy. Lately, [30, 2] proposed a general strategy to reduce bounded-phase reachability questions on different multi-stack pushdown automata models to a single stack. This is close in spirit to our proof technique in Section 2, although we do not rely on a phase-bounded model for our first result.



Given a set $P$ and a $P$-indexed family of sets $(S_p)_{p \in P}$, we write elements of the Cartesian product $\prod_{p \in P} S_p$ in bold face. For any $\mathbf{s} \in \prod_{p \in P} S_p$ and any $p \in P$, we let $s_p \in S_p$ denote the $p$-component of $\mathbf{s}$. Moreover, we identify $\mathbf{s}$ with the indexed family of elements $(s_p)_{p \in P}$.

An alphabet is any finite set of letters. Given an alphabet $X$, we write $X^*$ for the set of all finite words (words for short) over $X$, and we let $\varepsilon$ denote the empty word.

A labeled transition system (LTS for short) $\mathcal{A} = (S, s_I, A, \to)$ is given by a set of states $S$, an initial state $s_I$, an action alphabet $A$, and a (labeled) transition relation $\to$ which is a subset of $S \times A \times S$. For simplicity, we usually write $s \xrightarrow{a} s'$ in place of $(s, a, s') \in \to$. The size of $\mathcal{A}$ is defined by $|\mathcal{A}| = |S|^2 \cdot |A|$ when $S$ is finite.

Throughout the paper we use standard complexity classes such as polynomial space (PSpace), deterministic exponential time (ExpTime), and deterministic doubly-exponential time (2-ExpTime). For detailed definitions the reader is referred to, e.g., [26].




1.1. Communication Topologies. In this paper, we consider processes from a finite set $P$, that communicate over point-to-point, error-free FIFO channels from a set $C$. They exchange messages over a given topology, which is simply a directed graph whose vertices are processes and whose edges represent channels:

Definition 1.1. A topology $T$ is a tuple $(P, C, src, dst)$ where $P$ is a finite set of processes, and $C$ is a finite set of point-to-point channels equipped with two functions $src, dst : C \to P$ that map every channel $c \in C$ to a source $src(c) \in P$ and a destination $dst(c) \in P$, such that $src(c) \neq dst(c)$.
The size of $T$ is defined by $|T| = |P| + |C|$. For each channel $c \in C$, we write $\xrightarrow{c}$ for the binary relation on the set of processes $P$ defined by $p \xrightarrow{c} q$ if $p = src(c)$ and $q = dst(c)$. We also use the undirected binary relation $\xleftrightarrow{c}$ defined by $p \xleftrightarrow{c} q$ if $p \xrightarrow{c} q$ or $q \xrightarrow{c} p$.

An undirected path in $T$ is an alternating sequence $(p_0, c_1, p_1, \dots, c_n, p_n)$ of processes $p_i \in P$ and channels $c_i \in C$, such that $p_{i-1} \xleftrightarrow{c_i} p_i$ for all $i$. Moreover, the undirected path is called simple if the processes $p_0, \dots, p_n$ are distinct. A simple undirected cycle in $T$ is an undirected path $(p_0, c_1, p_1, \dots, c_n, p_n)$ with $p_0 = p_n$ such that $p_1, \dots, p_n$ are distinct, and $c_1, \dots, c_n$ are distinct. The topology $T$ is called a polyforest if it contains no simple undirected cycle.

1.2. Communicating Processes. Consider a topology $T = (P, C, src, dst)$. Given a message alphabet $M$, we denote by $Com_p(T, M)$ the set of possible communication actions of a process $p \in P$, defined by $Com_p(T, M) = \{c!m \mid c \in C, src(c) = p, m \in M\} \cup \{c?m \mid c \in C, dst(c) = p, m \in M\}$. As usual, $c!m$ denotes sending message $m$ into channel $c$, whereas $c?m$ denotes receiving message $m$ from channel $c$. Note that $Com_p(T, M)$ and $Com_q(T, M)$ are disjoint when $p$ and $q$ are distinct processes.

Definition 1.2. A system of communicating processes (CPS for short) $\mathcal{Q} = (T, M, (\mathcal{A}_p)_{p \in P})$ is given by a topology $T$, a message alphabet $M$, and, for each process $p \in P$, an LTS $\mathcal{A}_p = (S_p, s_I^p, A_p, \to_p)$ such that:

• the action alphabets $A_p$, $p \in P$, are pairwise disjoint, and

• $A_p^{com} = A_p \cap (C \times \{!, ?\} \times M)$ is contained in $Com_p(T, M)$ for each $p \in P$.

Actions in $A_p^{com}$ are called communication actions of $p$, whereas $A_p^{loc} = A_p \setminus A_p^{com}$ is the set of local actions. States $s_p \in S_p$ are called local states of $p$. We write $S = \prod_{p \in P} S_p$ for the set of global states. Note that the sets $S_p$, and hence $S$, may be infinite. Indeed, the local transition systems $\mathcal{A}_p$ could be, for example, counter or pushdown systems. When $S$ is finite, $\mathcal{Q}$ is called a finite CPS, and its size is defined by $|\mathcal{Q}| = |T| + |M| + \sum_{p \in P} |\mathcal{A}_p|$.

As usual, the semantics of CPS is defined in terms of a global LTS $(X, x_I, A, \to)$, where $X = S \times (M^*)^C$ is the set of configurations, $x_I = (s_I, (\varepsilon)_{c \in C})$ is the initial configuration, $A = \bigcup_{p \in P} A_p$ is the set of actions, and $\to \subseteq X \times A \times X$ is the transition relation with $(s_1, w_1) \xrightarrow{a} (s_2, w_2)$, where $a \in A_p$, if the following conditions are satisfied:

(i) $s_1^p \xrightarrow{a}_p s_2^p$ and $s_2^q = s_1^q$ for all $q \in P$ with $q \neq p$,

(ii) if $a \in A_p^{loc}$ then $w_1 = w_2$,

(iii) if $a = c!m$ then $w_2^c = w_1^c \cdot m$ and $w_2^d = w_1^d$ for all $d \in C$ with $d \neq c$,

(iv) if $a = c?m$ then $m \cdot w_2^c = w_1^c$ and $w_2^d = w_1^d$ for all $d \in C$ with $d \neq c$.

Given a process $p \in P$, we call move of $p$ any transition $x_1 \xrightarrow{a} x_2$ with $a \in A_p$. A move is local if $a \in A_p^{loc}$.

A run in the LTS $\mathcal{Q}$ is a finite, alternating sequence $\rho = (x_0, a_1, x_1, \dots, a_n, x_n)$ of configurations $x_i \in X$ and actions $a_i \in A$ satisfying $x_{i-1} \xrightarrow{a_i} x_i$ for all $i$. We say that $\rho$ is a run from $x_0$ to $x_n$. The length of $\rho$ is $n$, and is denoted by $|\rho|$. A run of length zero consists of a single configuration. The trace of a run $\rho = (x_0, a_1, x_1, \dots, a_n, x_n)$ is the sequence of actions $trace(\rho) = a_1 \cdots a_n$. A pair of send/receive actions $a_i = c!m$, $a_j = c?m$ is called matching in $\rho$ if $i < j$ and the number of receives on $c$ within $a_i \cdots a_j$ equals the length of $w^c$ in $x_i$. If $\rho, \rho'$ are two runs such that the last configuration of $\rho$ is equal to the first configuration of $\rho'$, then we write $\rho \cdot \rho'$ for their concatenation.
We define the order-equivalence relation $\sim$ over runs as the finest congruence such that $(x_0, a, x_1, b, x_2) \sim (x_0, b, x_1', a, x_2)$ whenever $a, b$ are actions on different processes (the right-hand side must itself be a run, which rules out commuting a matching send/receive pair, since the receive would not be enabled before its send). Informally, $\rho \sim \rho'$ if they can be transformed one into the other by iteratively commuting adjacent transitions that (i) are not located on the same process, and (ii) do not form a matching send/receive pair. The following is easy to check:

Fact 1.3. If $\rho, \rho'$ are order-equivalent runs of a CPS, then they start in the same configuration and end in the same configuration.

A configuration $x \in X$ is reachable in a CPS $\mathcal{Q}$ if there exists a run of $\mathcal{Q}$ from the initial configuration $x_I$ to $x$. We define the reachability set of $\mathcal{Q}$ as $Reach(\mathcal{Q}) = \{x \in X \mid x \text{ is reachable in } \mathcal{Q}\}$.

The state reachability problem for CPS asks, for a given CPS $\mathcal{Q}$ and a global state $s \in S$, whether $Reach(\mathcal{Q})$ intersects $\{s\} \times (M^*)^C$. It is well-known that this problem is undecidable for finite CPS, even if we restrict the topology to two processes connected by two channels [8].



The undecidability of the state reachability problem for CPS is based on the fact that one cannot control how "fast" messages are received. A simple idea that rules out such behaviors is to consider only runs where the reception is immediate (if it exists):

Definition 1.4. A run $\rho = (x_0, a_1, x_1, \dots, a_n, x_n)$ is eager if for all $1 \le i \le n$, if $a_i$ is a receive action then $i > 1$ and $a_{i-1}$ is its matching send action.

Thus, each send action along an eager run is either immediately followed by its matching receive, or it is never matched. In the latter case, all later sends into the channel are never received, and we say that the channel is in its "growing phase". In the former case, the adjacent matched send/receive actions act like a rendezvous synchronization between the two processes. Formally, given a channel $c \in C$, we call rendezvous on $c$ any run (of length 2) $\rho = (x, c!m, x', c?m, x'')$ such that $x = (s, w)$ with $w^c = \varepsilon$. The rendezvous involves process $p$ if $p \in \{src(c), dst(c)\}$.
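The global semantics (i)-(iv), the matching relation and Definition 1.4 are easy to get wrong by hand, so here is a small executable model of them. This is an added example written for this page, not code from the paper: the tuple encoding of actions, the two-process system with channels c (from p to q) and d (from q to p) and the three sample traces are constructed for illustration, and the local LTSs are assumed deterministic so that a trace determines at most one run.

```python
from typing import Dict, List, Optional, Tuple

# Constructed action encoding (not the paper's notation):
#   ("lo", p, name)   local action of process p
#   ("!", p, c, m)    p sends m on channel c          (paper: c!m)
#   ("?", p, c, m)    p receives m from channel c     (paper: c?m)
Action = tuple
Config = Tuple[Dict[str, str], Dict[str, tuple]]   # (s, w): local states, channel contents


class CPS:
    """A finite CPS whose local LTSs are deterministic (an assumption made here
    so that a trace determines at most one run)."""

    def __init__(self, src: Dict[str, str], dst: Dict[str, str],
                 init: Dict[str, str], trans: Dict[Tuple[str, Action], str]):
        self.src, self.dst, self.init, self.trans = src, dst, init, trans

    def initial(self) -> Config:
        # x_I = (s_I, (epsilon)_c): every channel starts empty
        return (dict(self.init), {c: () for c in self.src})

    def fire(self, x: Config, a: Action) -> Optional[Config]:
        """One global move x --a--> x' following conditions (i)-(iv); None if a is blocked."""
        s, w = x
        p = a[1]
        if (s[p], a) not in self.trans:          # (i) p must have a local transition on a
            return None
        s2 = dict(s)
        s2[p] = self.trans[(s[p], a)]            # (i) only p's local state changes
        w2 = dict(w)                             # (ii) a local action leaves every channel as is
        if a[0] == "!":
            _, _, c, m = a
            if self.src[c] != p:                 # c!m must belong to Com_p(T, M)
                return None
            w2[c] = w[c] + (m,)                  # (iii) append m at the tail of the FIFO
        elif a[0] == "?":
            _, _, c, m = a
            if self.dst[c] != p or not w[c] or w[c][0] != m:
                return None                      # (iv) m must be the head of the channel
            w2[c] = w[c][1:]
        return (s2, w2)

    def execute(self, trace: List[Action]) -> Optional[List[Config]]:
        """The configurations x_0, ..., x_n of the run with this trace, or None."""
        xs = [self.initial()]
        for a in trace:
            nxt = self.fire(xs[-1], a)
            if nxt is None:
                return None
            xs.append(nxt)
        return xs


def matching_send(trace: List[Action], xs: List[Config], j: int) -> Optional[int]:
    """Index of the send matching the receive trace[j] (0-based), per the definition:
    a_i = c!m with i < j matches iff the number of receives on c within a_i ... a_j
    equals |w^c| in x_i.  With a 0-based trace, x_i is xs[i + 1]."""
    c = trace[j][2]
    for i in range(j):
        if trace[i][0] == "!" and trace[i][2] == c:
            recvs = sum(1 for a in trace[i:j + 1] if a[0] == "?" and a[2] == c)
            if recvs == len(xs[i + 1][1][c]):
                return i
    return None


def is_eager(trace: List[Action], xs: List[Config]) -> bool:
    """Definition 1.4: every receive is immediately preceded by its matching send."""
    return all(j >= 1 and matching_send(trace, xs, j) == j - 1
               for j, a in enumerate(trace) if a[0] == "?")


def classify(cps: CPS, trace: List[Action]) -> str:
    xs = cps.execute(trace)
    if xs is None:
        return "not a run"
    return "eager" if is_eager(trace, xs) else "not eager"


# Constructed example: p sends two messages to q on c, then q acknowledges on d.
SAMPLE = CPS(
    src={"c": "p", "d": "q"}, dst={"c": "q", "d": "p"},
    init={"p": "p0", "q": "q0"},
    trans={("p0", ("!", "p", "c", "m")): "p1", ("p1", ("!", "p", "c", "m")): "p2",
           ("q0", ("?", "q", "c", "m")): "q1", ("q1", ("?", "q", "c", "m")): "q2",
           ("q2", ("!", "q", "d", "ack")): "q3", ("p2", ("?", "p", "d", "ack")): "p3"},
)
SEND, RECV = ("!", "p", "c", "m"), ("?", "q", "c", "m")
ACK_SEND, ACK_RECV = ("!", "q", "d", "ack"), ("?", "p", "d", "ack")
EAGER_TRACE = [SEND, RECV, SEND, RECV, ACK_SEND, ACK_RECV]    # each receive follows its send
DELAYED_TRACE = [SEND, SEND, RECV, RECV, ACK_SEND, ACK_RECV]  # same end configuration, not eager
GROWING_TRACE = [SEND, SEND]                                  # c is never read: "growing phase"

if __name__ == "__main__":
    for name, t in [("eager", EAGER_TRACE), ("delayed", DELAYED_TRACE), ("growing", GROWING_TRACE)]:
        print(name, classify(SAMPLE, t))
```

DELAYED_TRACE and EAGER_TRACE end in the same configuration, which is the point of the restriction: discarding the non-eager interleaving loses nothing here, while in general (as the next section shows) it is exactly what tames the unbounded channels.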

We introduce now the "eager" variants of the reachability notions presented previously. A configuration $x \in X$ is eager-reachable in a CPS $\mathcal{Q}$ if there exists an eager run from the initial configuration $x_I$ to $x$. The eager-reachability set of $\mathcal{Q}$ is the set $Reach_{eag}(\mathcal{Q})$ of eager-reachable configurations. We say that a CPS $\mathcal{Q}$ is eager when $Reach_{eag}(\mathcal{Q}) = Reach(\mathcal{Q})$. In the next section, we show how eager CPS occur under some natural (and decidable) restrictions on cyclic communication. The simplest example arises over polyforest topologies.

The state eager-reachability problem for CPS asks, for a CPS $\mathcal{Q}$ and a global state $s \in S$, whether $Reach_{eag}(\mathcal{Q})$ intersects $\{s\} \times (M^*)^C$. It is readily seen that this problem is decidable for finite CPS in PSpace.

Eager runs, modulo the fact that Definition 1.4 allows for runs which end in a sequence of (unmatched) send actions, are closely related to the notion of globally 1-bounded runs. Eager CPS subsume existentially globally 1-bounded communicating machines [23, 16]. However, as we will see in Section 3, it is undecidable whether a finite CPS is eager (in contrast, one can decide whether a finite, deadlock-free communicating machine is existentially globally 1-bounded [16]). On the positive side, Section 3 shows a decidable subclass of finite, eager CPS.
1.3. Recursive Communicating Processes. In the following we introduce RCPS together with a symmetric version of the "well-queueing" restriction used in [21]. Informally, RCPS (recursive CPS) are CPS where each local transition system is a pushdown system.

A well-queueing RCPS in [21] is one where a process can only receive when its stack is empty. Here, we dualize this concept by also allowing channels where the sender (but not the receiver) must have an empty stack. Well-queueing was motivated in [21] by the case where recursive processes need to finish their tasks before accepting new ones. Adding the dual notion of well-queueing is interesting when modeling interrupts: a recursive process may have to interrupt its current task to treat one with a higher priority, hence it has to preserve its current state on the stack to return later.

Definition 1.5. A typed topology $(T, \tau)$ consists of a topology $T$, together with a type $\tau \subseteq P \times C$, such that $(p, c) \in \tau$ implies $p \in \{src(c), dst(c)\}$.

Given a process $p \in P$ and a channel $c \in C$, we call $p$ restricted on $c$ if $(p, c) \in \tau$ (and unrestricted otherwise). Informally, a communicating pushdown process $p$ as defined below will be restricted on $c$ if $p$'s stack must be empty when communicating over channel $c$.

Definition 1.6. A pushdown system $\mathcal{D} = (Z, z_I, A, A_\varepsilon, \Gamma, \Delta)$ is given by a finite set $Z$ of control states, an initial control state $z_I \in Z$, an alphabet $A$ of actions, a subset $A_\varepsilon \subseteq A$, a stack alphabet $\Gamma$, and a transition relation $\Delta \subseteq Z \times A \times Z$, such that $A$ contains the set $A_{stack} = \{push(\gamma), pop(\gamma) \mid \gamma \in \Gamma\}$ of stack actions.

We define the size of $\mathcal{D}$ by $|\mathcal{D}| = |Z|^2 \cdot$ [second factor illegible in the source]. Actions in $A_\varepsilon \subseteq A \setminus A_{stack}$ are tests for empty stack. Naturally, for a pushdown system embedded in a CPS, the set of actions $A \setminus A_{stack}$ may contain communication (and local) actions. Depending on the typed topology, some communication actions may require an empty stack. This will be enforced by putting these communication actions in the set $A_\varepsilon$.

According to the informal description given above, we define now the semantics of pushdown processes. The semantics of $\mathcal{D} = (Z, z_I, A, A_\varepsilon, \Gamma, \Delta)$ is the LTS $(S, s_I, A, \to)$ with set of states $S = Z \times \Gamma^*$, initial state $s_I = (z_I, \varepsilon)$, and (labeled) transition relation $\to$ defined as expected: stack actions $push(\gamma)$ and $pop(\gamma)$ behave as usual ($pop(\gamma)$ blocks if the top of the stack is not $\gamma$), actions from $A \setminus A_{stack}$ do not change the stack, and actions in $A_\varepsilon$ are possible only if the stack is empty.

Definition 1.7. A recursive CPS (RCPS for short) $\mathcal{R} = (T, \tau, M, (\mathcal{D}_p)_{p \in P})$ is given by a typed topology $(T, \tau)$, a message alphabet $M$, and, for each process $p \in P$, a pushdown system $\mathcal{D}_p = (Z_p, z_I^p, A_p, A_\varepsilon^p, \Gamma_p, \Delta_p)$ such that:

• the action alphabets $A_p$, for $p \in P$, are pairwise disjoint,

• $A_p^{com} = A_p \cap (C \times \{!, ?\} \times M)$ is contained in $Com_p(T, M)$ for each $p \in P$, and

• $A_\varepsilon^p \supseteq \{c!m \in A_p^{com} \mid (p, c) \in \tau\} \cup \{c?m \in A_p^{com} \mid (p, c) \in \tau\}$ for each $p \in P$.

We associate with $\mathcal{R}$ the CPS $(T, M, (\mathcal{A}_p)_{p \in P})$ where, for each $p \in P$, the LTS $\mathcal{A}_p$ is the semantics of the pushdown system $\mathcal{D}_p$. The size of $\mathcal{R}$ is defined by $|\mathcal{R}| = |T| + |M| +$ [remaining term illegible in the source].

We write $Z = \prod_{p \in P} Z_p$ for the set of global control states. Abusing notation, a global state $s$ of $\mathcal{R}$ will also be written $s = (z, u)$ where $s_p = (z_p, u_p)$ for each $p \in P$. The state reachability problem for RCPS asks, for a given RCPS $\mathcal{R}$ and a global control state $z \in Z$, whether $Reach(\mathcal{R})$ intersects $\{z\} \times \prod_{p \in P} (\Gamma_p)^* \times (M^*)^C$. The state eager-reachability problem for RCPS is defined similarly, using $Reach_{eag}(\mathcal{R})$ instead of $Reach(\mathcal{R})$.
2. Topologies with Decidable State Reachability



Several factors lead to the undecidability of the state reachability problem for RCPS. In 
particular, the model is already undecidable without any pushdown. Our goal in this section 
is a decidability condition that concerns the interplay between pushdowns and communica- 
tion, assuming that the communication is not the reason for undecidability. For this reason, 
we consider a restricted version of the state reachability problem, namely the one on eager 
runs. 

Definition 2.1. A typed topology $(T, \tau)$ is called confluent if it contains a simple undirected path $(p_0, c_1, p_1, \dots, c_n, p_n)$, with $n \ge 1$, such that $p_0$ is unrestricted on $c_1$ and $p_n$ is unrestricted on $c_n$.

Notice that non-confluence implies that every channel is either restricted at the source, or at the destination, or at both ends (take $n = 1$; see Figure 1).
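As an added example (not part of the paper), the following Python checks the two graph conditions defined so far on small typed topologies: the polyforest condition of Section 1.1 and confluence as in Definition 2.1. The Topology class, the channel encoding and the sample topologies are constructed here. The confluence check relies on the observation that any walk from $p_1$ to $p_{n-1}$ that avoids $p_0$ and $p_n$ can be shortened to a simple path, so a breadth-first search per candidate pair of end channels suffices instead of enumerating paths.

```python
from collections import deque
from typing import Dict, Iterable, Set, Tuple


class Topology:
    """T = (P, C, src, dst); channels are given as name -> (src, dst)."""

    def __init__(self, procs: Iterable[str], chans: Dict[str, Tuple[str, str]]):
        self.procs = set(procs)
        self.chans = dict(chans)
        for c, (s, d) in self.chans.items():
            assert s in self.procs and d in self.procs and s != d, c   # src(c) != dst(c)

    def other_end(self, c: str, p: str) -> str:
        s, d = self.chans[c]
        return d if p == s else s

    def incident(self, p: str):
        return [c for c, ends in self.chans.items() if p in ends]


def is_polyforest(top: Topology) -> bool:
    """No simple undirected cycle, i.e. the undirected multigraph is a forest.
    Union-find: a channel joining two already connected processes closes a cycle
    (so two channels between the same pair of processes already form one)."""
    parent = {p: p for p in top.procs}

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    for s, d in top.chans.values():
        rs, rd = find(s), find(d)
        if rs == rd:
            return False
        parent[rs] = rd
    return True


def reachable_avoiding(top: Topology, start: str, forbidden: Set[str]) -> Set[str]:
    """Processes reachable from start by undirected paths that avoid `forbidden`."""
    seen, todo = {start}, deque([start])
    while todo:
        u = todo.popleft()
        for c in top.incident(u):
            v = top.other_end(c, u)
            if v not in seen and v not in forbidden:
                seen.add(v)
                todo.append(v)
    return seen


def is_confluent(top: Topology, tau: Set[Tuple[str, str]]) -> bool:
    """Definition 2.1.  tau is the type: (p, c) in tau means p is restricted on c.
    Looks for a simple undirected path p_0 -c_1- p_1 ... -c_n- p_n (n >= 1) with
    p_0 unrestricted on c_1 and p_n unrestricted on c_n."""
    for p, c in tau:
        assert p in top.chans[c], (p, c)           # a type only restricts endpoints

    def unrestricted(p, c):
        return (p, c) not in tau

    for c1 in top.chans:
        for p0 in top.chans[c1]:
            if not unrestricted(p0, c1):
                continue
            p1 = top.other_end(c1, p0)
            if unrestricted(p1, c1):                # n = 1: a channel free at both ends
                return True
            for cn in top.chans:
                if cn == c1:
                    continue
                for pn in top.chans[cn]:
                    q = top.other_end(cn, pn)      # q plays the role of p_{n-1}
                    if not unrestricted(pn, cn) or pn in (p0, p1) or q == p0:
                        continue
                    # the interior p_1 .. p_{n-1} must avoid p_0 and p_n; any walk from
                    # p_1 to q in T minus {p_0, p_n} shortens to such a simple path
                    if q in reachable_avoiding(top, p1, {p0, pn}):
                        return True
    return False


# Constructed examples.  STAR is the shape used in the ExpTime-hardness proof
# (centre unrestricted, leaves restricted).  V_SHAPE is well-queueing p0 -> p1 <- p2:
# both sources keep their stacks while sending, so it is confluent.  RING is the
# two-process, two-channel topology: not a polyforest, yet non-confluent when typed
# well-queueing.
STAR = Topology({"p", "q1", "q2"}, {"c1": ("p", "q1"), "c2": ("p", "q2")})
STAR_TAU = {("q1", "c1"), ("q2", "c2")}
V_SHAPE = Topology({"p0", "p1", "p2"}, {"c1": ("p0", "p1"), "c2": ("p2", "p1")})
V_TAU = {("p1", "c1"), ("p1", "c2")}
CHAIN = Topology({"p0", "p1", "p2"}, {"c1": ("p0", "p1"), "c2": ("p1", "p2")})
CHAIN_TAU = {("p1", "c1"), ("p2", "c2")}
RING = Topology({"p", "q"}, {"c1": ("p", "q"), "c2": ("q", "p")})
RING_TAU = {("q", "c1"), ("p", "c2")}

if __name__ == "__main__":
    for name, top, tau in [("star", STAR, STAR_TAU), ("v", V_SHAPE, V_TAU),
                           ("chain", CHAIN, CHAIN_TAU), ("ring", RING, RING_TAU)]:
        print(name, "polyforest:", is_polyforest(top), "confluent:", is_confluent(top, tau))
```

The RING case illustrates what Theorem 2.2 adds over the polyforest condition: with the well-queueing type it is non-confluent, so state eager-reachability is decidable although the topology has an undirected cycle.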

We say that a typed topology $(T, \tau)$ has a decidable RCPS state eager-reachability problem if the latter question is decidable for the class of RCPS with typed topology $(T, \tau)$. We show in this section that the notion of confluence gives a complete characterization of typed topologies with respect to the decidability of the above problem.

Theorem 2.2. A typed topology has a decidable RCPS state eager-reachability problem if and only if it is non-confluent. Moreover, the problem is ExpTime-complete in the latter case.

The rest of the section is devoted to the proof of this theorem. We first show the 
undecidability result in the confluent case. 

Proposition 2.3. Every confluent typed topology has an undecidable RCPS state (eager-)reachability problem.

Proof. Consider a typed topology $(T, \tau)$ that is confluent. There is a simple undirected path $p_0 \xleftrightarrow{c_1} p_1 \cdots p_{n-1} \xleftrightarrow{c_n} p_n$ satisfying the conditions of Definition 2.1. Since $p_0$ is unrestricted on $c_1$ and $p_n$ is unrestricted on $c_n$, both may use their stack while communicating over the channels $c_1$ and $c_n$, respectively. Recall that checking non-emptiness of the intersection of two context-free languages is undecidable. To prove the proposition, we reduce this problem to the state eager-reachability problem for RCPS with typed topology $(T, \tau)$.

Given two context-free languages $K$ and $L$ over the alphabet $\{0, 1\}$, the process $p_0$ guesses a word in $K$ while $p_n$ guesses a word in $L$, and both processes check that they guessed the same word via synchronizations along the undirected path $p_0 \xleftrightarrow{c_1} p_1 \cdots p_{n-1} \xleftrightarrow{c_n} p_n$. Intermediate processes $p_1, \dots, p_{n-1}$ do not use their stack; they simply convey the information about the common input guessed by $p_0$ and $p_n$. The labeled transition system $\mathcal{A}_{p_i}$, $1 \le i < n$, is depicted below.

[Figure 1: Examples of non-confluent typed topologies (o: restricted, •: unrestricted).]

[Figure: the labeled transition system $\mathcal{A}_{p_i}$ of an intermediate process $p_i$; the only labels that survive in the source are $src(c_i)$, $dst(c_i)$, $src(c_{i+1})$, $dst(c_{i+1})$. The process relays each bit $0/1$ between $c_i$ and $c_{i+1}$, sending or receiving on each channel according to whether it is its source or its destination.]

Similarly, the pushdown systems $\mathcal{D}_{p_0}$ and $\mathcal{D}_{p_n}$ are obtained from pushdown automata accepting $K$ and $L$, respectively, by replacing tape-reading actions with communications of the bits $0/1$ over $c_1$ for $p_0$ and over $c_n$ for $p_n$ (as sends or receives, depending on the direction of these channels).

Finally, we only need to make sure that the channels are empty at the end. As usual, this can be enforced by augmenting $M$ with a new symbol $\$$, and by sending and receiving $\$$ on each channel $c$ at the end of the simulation.

The construction guarantees that the intersection $K \cap L$ is non-empty if and only if there is an (eager) run in the RCPS from the initial configuration to a global control state where each process is accepting. □

We now focus on non-confluent typed topologies. Let us first prove the ExpTime lower bound of Theorem 2.2.

Proposition 2.4. The state eager-reachability problem for RCPS with non-confluent typed topology is ExpTime-hard.

Proof. It is well-known (and probably folklore) that the following problem is ExpTime-complete: given a context-free language $K$ and $n$ regular languages $L_i$, check the non-emptiness of $K \cap \bigcap_i L_i$. The hardness follows easily by a reduction from linearly bounded alternating Turing machines. Actually, a closely related problem is shown to be ExpTime-hard in [12], namely the reachability problem for pushdown systems with checkpoints.

Notice that the intersection $K \cap \bigcap_i L_i$ can be simulated on the non-confluent typed topology $(T, \tau)$ where $P = \{p, q_1, \dots, q_n\}$, $C = \{c_1, \dots, c_n\}$, and, for each $1 \le i \le n$, $p \xrightarrow{c_i} q_i$ with $p$ unrestricted on $c_i$ and $q_i$ restricted on $c_i$ (see left part of Figure 1). That is, process $p$ simulates a pushdown automaton accepting the context-free language $K$, whereas process $q_i$ simulates a finite-state automaton accepting $L_i$. Communication guarantees that the simulations use the same input word. As in the previous proposition, one needs to enforce the emptiness of the channels by using an extra symbol. □

Before considering the upper bound we need to introduce some vocabulary. Consider a run $\rho = (x_0, a_1, x_1, \dots, a_n, x_n)$ of an RCPS $\mathcal{R}$. Given a process $p \in P$, we say that $\rho$ is well-formed for $p$ if the projection of $a_1 \cdots a_n$ on $A_{stack}^p$ is a Dyck word. This well-formedness condition merely stipulates that each push action of $p$ in $\rho$ is matched by a pop action, and vice versa. We call $\rho$ well-formed if $\rho$ is well-formed for each process $p \in P$. For instance, every run that starts and ends with empty stacks is well-formed. A stronger condition is that of well-bracketing, which requires that push and pop actions for distinct processes must be nested recursively. Formally, we say that $\rho = (x_0, a_1, x_1, \dots, a_n, x_n)$ is well-bracketed if the following two conditions are satisfied:

(1) the projection of $a_1 \cdots a_n$ on the disjoint union $\biguplus_{p \in P} A_{stack}^p$ is a Dyck word, and

(2) for every process $p$ and every $h < i < j < k$, if the pairs $(a_h, a_k)$ and $(a_i, a_j)$ are matching push/pop actions of $p$, then the sub-runs $(x_{h-1}, a_h, x_h, \dots, a_i, x_i)$ and $(x_{j-1}, a_j, x_j, \dots, a_k, x_k)$ are well-formed for all $q \neq p$.

Observe that if $\rho \cdot \rho'$ is defined, then $\rho \cdot \rho'$ is well-formed (resp. well-bracketed) if $\rho$ and $\rho'$ are both well-formed (resp. well-bracketed). Note also that well-formedness is preserved under order-equivalence: if $\rho$ is well-formed and $\rho \sim \rho'$ then $\rho'$ is also well-formed. However, well-bracketing is not preserved under order-equivalence.
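The following added example (constructed for this page, not the paper's code) implements the well-formedness check and both conditions of well-bracketing on a trace. The tuple encoding of stack actions and the sample traces are assumptions; communication actions are mixed in to show that they carry no stack effect. The INTERLEAVED sample shows that condition (1) alone does not give condition (2).

```python
from typing import List, Optional, Tuple

# Constructed encoding of a trace a_1 ... a_n (0-based indices here):
#   ("push", p, g) / ("pop", p, g)   stack actions of process p with stack symbol g
# Any other tuple (a local or communication action) carries no stack effect.
Action = tuple


def is_stack_action(a: Action) -> bool:
    return a[0] in ("push", "pop")


def dyck_pairs(indexed: List[Tuple[int, Action]]) -> Optional[List[Tuple[int, int]]]:
    """Match pushes with pops left to right.  The word is Dyck iff each pop meets a
    pending push of the same process and symbol and nothing stays pending.
    Returns the (push index, pop index) pairs, or None if the word is not Dyck."""
    pending, pairs = [], []
    for idx, (kind, p, g) in indexed:
        if kind == "push":
            pending.append((idx, p, g))
        elif pending and pending[-1][1:] == (p, g):
            pairs.append((pending.pop()[0], idx))
        else:
            return None
    return pairs if not pending else None


def stack_projection(trace: List[Action], procs, lo: int = 0, hi: Optional[int] = None):
    """Stack actions of the given processes within trace[lo:hi], with their indices."""
    hi = len(trace) if hi is None else hi
    return [(i, trace[i]) for i in range(lo, hi)
            if is_stack_action(trace[i]) and trace[i][1] in procs]


def is_well_formed(trace: List[Action], procs, lo: int = 0, hi: Optional[int] = None) -> bool:
    """Well-formed for every p in procs: p's own stack actions form a Dyck word."""
    return all(dyck_pairs(stack_projection(trace, {p}, lo, hi)) is not None for p in procs)


def is_well_bracketed(trace: List[Action], procs) -> bool:
    """Conditions (1) and (2) of the definition of well-bracketed runs."""
    # (1) the interleaving of all processes' stack actions is a single Dyck word
    if dyck_pairs(stack_projection(trace, set(procs))) is None:
        return False
    # (2) for nested matching pairs (a_h, a_k) and (a_i, a_j) of one process p, the
    # other processes' stack actions within a_h..a_i and within a_j..a_k are balanced
    for p in procs:
        pairs = dyck_pairs(stack_projection(trace, {p}))
        if pairs is None:
            return False
        others = set(procs) - {p}
        for h, k in pairs:
            for i, j in pairs:
                if h < i < j < k:
                    if not (is_well_formed(trace, others, h, i + 1)
                            and is_well_formed(trace, others, j, k + 1)):
                        return False
    return True


PROCS = {"p", "q"}
# Constructed traces.  NESTED keeps q's push/pop inside one gap between p's stack
# actions; INTERLEAVED puts q's push between p's two pushes; CROSSING overlaps.
NESTED = [("push", "p", "A"), ("push", "q", "B"), ("!", "p", "c", "m"), ("pop", "q", "B"),
          ("push", "p", "A"), ("pop", "p", "A"), ("pop", "p", "A")]
INTERLEAVED = [("push", "p", "A"), ("push", "q", "B"), ("push", "p", "A"),
               ("pop", "p", "A"), ("pop", "q", "B"), ("pop", "p", "A")]
CROSSING = [("push", "p", "A"), ("push", "q", "B"), ("pop", "p", "A"), ("pop", "q", "B")]
UNBALANCED = [("push", "p", "A"), ("pop", "p", "B")]

if __name__ == "__main__":
    for name, t in [("nested", NESTED), ("interleaved", INTERLEAVED),
                    ("crossing", CROSSING), ("unbalanced", UNBALANCED)]:
        print(name, "well-formed:", is_well_formed(t, PROCS),
              "well-bracketed:", is_well_bracketed(t, PROCS))
```

INTERLEAVED satisfies (1) but fails (2): q's symbol sits between p's two pushes, so a single global stack could not hold p's symbols as one contiguous word, which is exactly what the product construction below needs. Moving q's push before p's first push and q's pop after p's last pop (both commute, being on another process and not a matching send/receive pair) gives an order-equivalent trace that is well-bracketed.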

The following proposition provides the main ingredient to show the ExpTime upper bound of Theorem 2.2.

Proposition 2.5. Given an RCPS $\mathcal{R}$ with non-confluent typed topology, every eager, well-formed run in $\mathcal{R}$ is order-equivalent to an eager, well-bracketed run.

Proof. By induction on the length of runs. The basis is trivial. Consider a run $\rho$, of non-zero length, that is both eager and well-formed. We assume that $\rho$ starts with a push action (otherwise, the existence of an order-equivalent run that is both eager and well-bracketed immediately follows by induction). Let $a = push(\gamma)$ denote the first action of $\rho$, and let $p$ denote the process with $a \in A_p$. Let $\rho'$ denote an order-equivalent eager run obtained from $\rho$ by scheduling the actions of $p$ as early as possible, while maintaining adjacent send/receive pairs. It is readily seen that $\rho'$ may be written as:

$$\rho' = (x \xrightarrow{push(\gamma)} x') \cdot \pi_0 \cdot \chi_1 \cdot \sigma_1 \cdot \pi_1 \cdots \chi_n \cdot \sigma_n \cdot \pi_n \cdot (y \xrightarrow{pop(\gamma)} y') \cdot \bar{\rho}$$

where the runs $\pi_i$, $\chi_i$, $\sigma_i$ and $\bar{\rho}$ satisfy the following conditions:

(a) $\pi_i$ consists of moves of process $p$ which are either local actions or sends that are unmatched in $\rho$,

(b) $\chi_i$ contains no move of process $p$,

(c) $\sigma_i$ is a rendezvous involving $p$,

(d) the transitions $x \xrightarrow{push(\gamma)} x'$ and $y \xrightarrow{pop(\gamma)} y'$ are matching stack actions (of process $p$),

(e) for each $1 \le i \le n$, the run $\chi_i \cdot \sigma_i$ is not order-equivalent to a run of the form $\chi_i' \cdot \sigma_i' \cdot \chi_i''$ where $|\chi_i'| < |\chi_i|$ and $\sigma_i'$ is a rendezvous involving $p$.

The scheduling of $p$'s actions as early as possible is expressed by condition (e) (notice that $\sigma_i$ and $\sigma_i'$ correspond to the same send/receive pair).
We first show the following claim.

Claim. For each $1 \le i \le n$, all processes that move in $\chi_i$ have an empty stack at the start and end of $\chi_i$.

To prove the claim, let us denote by $P_i = \{q_1, \dots, q_k\}$ the set of processes that move in $\chi_i$, ordered by their last occurrence in $\chi_i$. Since the last action in $\chi_i$ is performed by $q_k$, we derive from (e) that the rendezvous $\sigma_i$ is on a channel between $p$ and $q_k$. Now let $1 \le h < k$. It follows from (e) that the last action of $q_h$ in $\chi_i$ is a communication action $b_h$. We have two cases to consider:

• $b_h$ is a send action: If there was no matching receive in $\rho'$, then this send action could be scheduled after $\sigma_i$, contradicting (e). Hence, $\rho'$ contains a matching receive, which, by eagerness, is the next action in $\rho'$. This matching receive is performed by a process $q_g$ with $h < g$.

• $b_h$ is a receive action: Since $\rho'$ is eager, the matching send is the previous action in $\rho'$. This matching send is performed by a process $q_g$. Moreover, we must have $h < g$ since, otherwise, this matched send/receive pair could be scheduled after $\sigma_i$, contradicting (e).

We obtain that, for every $1 \le h < k$, the last action of $q_h$ in $\chi_i$ is a communication action over a channel $c_h$ satisfying $q_h \xleftrightarrow{c_h} q_g$ for some $h < g \le k$. Let $c_k$ denote the channel of the rendezvous $\sigma_i$, and recall that $q_k \xleftrightarrow{c_k} p$. Observe that $p$ is unrestricted on $c_k$ since, according to (d), the stack of $p$ is non-empty in $\sigma_i$. As the typed topology of $\mathcal{R}$ is non-confluent, we derive that $q_h$ is restricted on $c_h$ for each $1 \le h \le k$, since there is a simple undirected path $q_h \xleftrightarrow{c_h} \cdots q_k \xleftrightarrow{c_k} p$ for each $h$. It follows that $q_h$ has an empty stack at the end of $\chi_i$.

We have thus shown that, for each $1 \le i \le n$, all processes that move in $\chi_i$ have an empty stack at the end of $\chi_i$. Now, recall that $\rho'$ is well-formed since it is order-equivalent to $\rho$. Therefore, all processes that move in $\chi_i$ also have an empty stack at the start of $\chi_i$, which concludes the proof of the claim.

It follows from the claim that each run $\chi_i$ is well-formed, so $\bar{\rho}$ is also well-formed. Since the runs $\chi_i$ and $\bar{\rho}$ are eager, we derive from the induction hypothesis that each $\chi_i$ is order-equivalent to a run $\chi_i'$ that is both eager and well-bracketed, and, similarly, $\bar{\rho}$ is order-equivalent to a run $\bar{\rho}'$ that is both eager and well-bracketed. Replacing in $\rho'$ each $\chi_i$ by $\chi_i'$ and $\bar{\rho}$ by $\bar{\rho}'$ yields a run $\rho'' \sim \rho$ that is both eager and well-bracketed (the second condition for well-bracketed runs is satisfied since the runs $\chi_i$ contain no move of $p$). This concludes the proof of the proposition. □

Well-bracketed runs in an (arbitrary) RCPS cannot exploit the full power of the multiple stacks. Indeed, the well-bracketing property ensures that the individual process stacks do not "interact" with each other: a single, global stack is sufficient to simulate the run. More precisely, given an RCPS $\mathcal{R} = (T, \tau, M, (\mathcal{D}_p)_{p \in P})$, with $\mathcal{D}_p = (Z_p, z_i^p, A_p, \Gamma_p, \Delta_p)$ for each $p \in P$, we construct a product pushdown system $\mathcal{D}^\otimes$ that simulates the well-bracketed eager runs of $\mathcal{R}$. Its set of control states is $Z^\otimes = P \times (\prod_{p \in P} Z_p) \times 2^P \times 2^C$. A control state $(p, z, E, G) \in Z^\otimes$ means that $p$ is the active process, $z$ is the current global control state, $E$ is the set of processes that have an empty stack, and $G$ is the set of channels that are "growing", i.e., for which no receive action is possible anymore. The stack alphabet of $\mathcal{D}^\otimes$ is the disjoint union $\Gamma^\otimes = \bigcup_{p \in P} \Gamma_p$. The stack of $\mathcal{D}^\otimes$ will be the concatenation of $|P|$ words $u_p \in (\Gamma_p)^*$, one for each process $p$, where $u_p$ is empty if and only if $p \in E$.

Let us explain how the simulation of eager, well-bracketed runs works. First, an active process $r$ is non-deterministically chosen, leading to the control state $(r, (z_i^p)_{p \in P}, P, \emptyset)$. Then, $\mathcal{D}^\otimes$ simulates the behavior of $r$ as expected, using its stack as $r$ would do, but also updates the set $E$ accordingly. To simulate a send action $c!m$, $\mathcal{D}^\otimes$ non-deterministically decides whether $c!m$ is actually part of a rendezvous on $c$ (possible only if $c \notin G$), or will never be matched. In the former case, $\mathcal{D}^\otimes$ simulates (in a single step) the rendezvous $c!m \cdot c?m$. In the latter case, the channel $c$ is added to the set $G$ of "growing" channels. Moreover, in both cases, the communication is performed only if the typed topology allows it, which can be checked using the set $E$.

The pushdown system may choose non-deterministically, at any time, to switch the active process to some process $q$. Since the run simulated by $\mathcal{D}^\otimes$ is well-bracketed, either $q$'s stack is empty ($q \in E$) or the top stack symbol must belong to $\Gamma_q$. Thus, $\mathcal{D}^\otimes$ performs this check and then sets the active process to $q$.

By construction, the pushdown system $\mathcal{D}^\otimes$ simulates all runs of $\mathcal{R}$ that are both eager and well-bracketed, and only those runs. Moreover, the size of $\mathcal{D}^\otimes$ is bounded by $|\mathcal{R}|^{O(|P| \cdot |C|)}$. Since every RCPS can be easily modified in order to reach a given state with all stacks empty, we obtain:

Proposition 2.6. State eager-reachability of an RCPS of size $n$ with non-confluent typed topology $(T = (P, C), \tau)$ reduces in ExpTime to state reachability for a pushdown system of size $n^{O(|P| \cdot |C|)}$.

Since the state reachability problem for pushdown systems is decidable in deterministic 
polynomial time, we obtain the upper bound: 

Proposition 2.7. The state eager-reachability problem for RCPS over a non-confluent 
typed topology is in ExpTime. 

3. Eager CPS and the Mutex Restriction 

The previous section showed how to decide the state eager-reachability problem provided that the topology behaves well w.r.t. pushdowns and communication. A first natural question is whether one can decide if eager runs suffice for solving the reachability problem. A second legitimate question is whether the restriction to eager runs is realistic. We answer the first question negatively. However, on the positive side we show a restricted class of CPS where eager runs suffice: CPS over cyclic topologies with the mutex restriction. We focus in this section on CPS since the eager condition talks about communication only.

Definition 3.1. A configuration $x$ of a CPS $\mathcal{Q}$ is mutex if for every simple undirected cycle $(p_0, c_1, p_1, \ldots, c_n, p_n = p_0)$ in the topology of $\mathcal{Q}$, at most one of the channels $c_i$ is non-empty in $x$. A run $\rho$ in $\mathcal{Q}$ is mutex if each configuration in $\rho$ is mutex.

A CPS $\mathcal{Q}$ is called mutex if every configuration reachable in $\mathcal{Q}$ is mutex. We show later in this section that the mutex property is decidable for finite CPS. Notice also that every CPS with polyforest topology is mutex.

Before discussing mutex we first comment on the results of [21] and explain their relation with Theorem 2.2 and Corollary 3.4 below. That paper shows that state reachability is decidable for finite CPS over polyforest topologies, and for well-queueing RCPS over directed forests. The proof of the result for RCPS relies on the idea that, on tree topologies, one can reorder runs such that the resulting run has a bounded number of contexts, where in each context only one process executes all its actions by reading on one unique incoming channel from its tree parent (and, in the case of RCPS, solely when its local stack is empty). Hence, the problem reduces to control-state reachability for a bounded-phase multi-stack pushdown system, a question which was proven to be decidable in doubly exponential time [20]. A simple channel reversal argument allows us to reduce the question for finite CPS over polyforest topologies to directed forests.

We show in the following that mutex CPS are eager. This allows us to apply the re- 
sults of the previous section and to obtain the decidability of state reachability (for both 
finite CPS over polyforest topologies and well-queueing RCPS over directed forests) via 
a direct proof. Moreover, recall that the complexity of the algorithm of the previous sec- 
tion is ExpTime, so one exponential less than the results obtained in [20] for polyforest 
architectures. 
Remark 3.2. Over a topology of two finite processes connected by two channels, mutex runs are referred to as "half-duplex communication". For these, it is known how to decide the reachability problem through an effective construction of the recognizable reachability set [10]. Quasi-stable systems are a semantic ad hoc extension of this idea to finite CPS with larger, cyclic topologies [9].

Proposition 3.3. Given a CPS $\mathcal{Q}$, every mutex run starting with empty channels admits an order-equivalent eager run.

Proof. By induction on the length of runs. The basis is trivial. Consider a mutex run $\rho$ of non-zero length, that starts with empty channels. In particular, each receive action in $\rho$ has a matching send in $\rho$. We write $P_\rho \subseteq P$ for the (non-empty) set of all processes $p$ that move in $\rho$. For each $p \in P_\rho$, let $e_p$ denote the last action of $p$ in $\rho$. If some $e_p$ is a local action, or a send action that is not matched in $\rho$, we may schedule it last, which preserves the run's mutex property, and derive the existence of an eager run $\rho' \sim \rho$ by induction. Otherwise, for each $p \in P_\rho$, the action $e_p$ is a communication action that is matched in $\rho$, and we let $c_p$ denote the channel of $e_p$. Note that each $c_p$, for $p \in P_\rho$, is a channel between $p$ and another process in $P_\rho$, which we call its last peer. We may build an infinite sequence of processes in $P_\rho$ by picking an arbitrary process in $P_\rho$ and iteratively moving to its last peer. By the pigeonhole principle, there exist $p_0, \ldots, p_n \in P_\rho$, with $n > 0$, such that $(p_0, c_{p_0}, \ldots, p_n, c_{p_n}, p_0)$ is an undirected path in $T$ and $p_0, \ldots, p_n$ are distinct. Moreover, we may assume w.l.o.g. that $p_0$ is the process that moves last in $\rho$ among $\{p_0, \ldots, p_n\}$. To simplify notation, let us simply write $e_i$ in place of $e_{p_i}$, and $c_i$ in place of $c_{p_i}$. Remark that the undirected path $(p_0, c_0, \ldots, p_n, c_n, p_0)$ must be a simple undirected cycle if $c_0 \ne c_1$.

Let us show that $e_1, e_0$ is a pair of matching send/receive actions. Since $p_0 \ne p_1$ and $p_1$ stops moving before $p_0$ in $\rho$, the communication action $e_0$, which is matched in $\rho$, must be a receive action $e_0 = c_0?m_0$. We obtain that $\rho$ is of the form:

with no move of $p_1$ in $\chi'$ and no move of $p_0, p_1$ in $\chi''$. It follows that $c_0$ is non-empty in $y'$. Since $\rho$ is a mutex run, $x'$ and $y'$ are mutex configurations. If $c_0 \ne c_1$, then $c_0$ is also non-empty in $x'$, hence $c_1$ must be empty in both $x'$ and $y'$, which is impossible since $e_1$ is a communication action on $c_1$. Therefore, we get that $c_0 = c_1$, and, hence, $e_1$ is the last send action on $c_0$ in $\rho$ (recall that $p_0$ receives on $c_0$, so its source is $p_1$). Since $e_1$ is matched in $\rho$, it follows that $e_1$ is the matching send of $e_0$, which implies that $e_1 = c_0!m_0$.

We may now conclude the proof of the proposition. Recall that $e_1, e_0$ are the last actions of $p_1$ and $p_0$ in $\rho$, respectively. Since $e_1 = c_0!m_0$ and $e_0 = c_0?m_0$ are matched, we may schedule $e_1, e_0$ last. This leads to a run $\rho'$ that is order-equivalent to $\rho$, and of the form:

where the trace of $\mu$ satisfies $\mathrm{trace}(\mu) = \mathrm{trace}(\chi') \cdot \mathrm{trace}(\chi'')$. It follows from the previous trace equality that, for each configuration $(s, w)$ occurring in $\mu$, there exists

• either a configuration $(s', w')$ in $\chi''$ with $w = w'$,

• or a configuration $(s', w')$ in $\chi'$ such that $w'^{c_0} = w^{c_0} \cdot m_0$ and $w'^{c} = w^{c}$ for all $c \ne c_0$.

In both cases, we derive that $(s, w)$ is mutex since $(s', w')$ is mutex. Therefore, the run $\mu$ is mutex. Moreover, the run $\chi$ is also mutex since it is a prefix of the mutex run $\rho$. We derive from the induction hypothesis that $\chi \cdot \mu$ is order-equivalent to an eager run $\mu'$. Replacing $\chi \cdot \mu$ by $\mu'$ in $\rho'$ yields a run $\rho'' \sim \rho$ that is eager. This concludes the proof of the proposition. □

Corollary 3.4. Every mutex CPS is eager. 

Remark 3.5. A closer look at the proof of Proposition 3.3 shows that the result still holds for the following weaker variant of the mutex property: a configuration $x$ of a CPS $\mathcal{Q}$ is weakly mutex if for every simple undirected cycle $(p_0, c_1, p_1, \ldots, c_n, p_n)$ in the topology of $\mathcal{Q}$, at most one of the channels $c_1, c_n$ is non-empty in $x$.

We derive the following result as an immediate consequence of Corollary 3.4. The upper bound is obtained as an on-the-fly simulation: since we simulate eager runs we do not have to store any message, but only keep track of the growing channels. The lower bound follows from the non-emptiness test of the intersection of several regular languages.

Proposition 3.6. The state reachability problem for finite, mutex CPS is PSPACE-complete. 

Remark 3.7. State reachability remains decidable for particular infinite-state mutex CPS. For example, if each local LTS is a Petri net (i.e., the CPS in question is a FIFO net [13]), then the state reachability problem reduces to the Petri net reachability problem, which is known to be decidable [24, 19].

We end this section by showing that, for finite CPS, the mutex property is decidable 
(unlike the eager one). 

Proposition 3.8. The question whether a finite CPS is mutex, is PSpace-complete.

Proof. Assume that $\mathcal{Q}$ is not mutex and consider a run $\rho$ of minimal length from $x_i$ to a configuration $x$ that is not mutex. By minimality, all configurations in $\rho$ up to $x$ are mutex. Let $x'$ be the predecessor of $x$ in $\rho$.

By Proposition 3.3 we can reach $x'$ by an eager run $\rho'$ (which is generated on-the-fly in PSpace) and test whether there exists in $\mathcal{Q}$ a transition $x' \xrightarrow{c!m} x$ that violates the mutex condition for $x$ (only a send can make a channel non-empty). We guess $\rho'$ in PSpace (see the remark above) and check whether there exists a simple undirected cycle $(p_0, c_1, p_1, \ldots, c_n, p_n)$ in the topology of $\mathcal{Q}$ such that one channel $c_i$ is non-empty in $x'$ and the action $c!m$ would write on another channel of this cycle (i.e., $c = c_j$ for some $j \ne i$).

PSpace-hardness follows, again, by reducing from the non-emptiness test of the intersection of several regular languages. □
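The on-the-fly simulation behind Propositions 3.6 and 3.8, as an added Python example that is not part of the paper: it explores the eager runs of a small finite CPS while recording, per channel, only whether the channel is growing, enumerates the simple undirected cycles of the topology for Definition 3.1, and stops at the first send that would put a second non-empty channel on some cycle. The CPS encoding, the function names, and the two constructed sample systems PING_PONG (half-duplex, mutex) and FULL_DUPLEX (not mutex) are ours.

```python
from collections import deque

# Added example, not the paper's code. A finite CPS is encoded as:
#   channels: name -> (source process, destination process)
#   init:     process -> initial local state
#   trans:    process -> list of (state, action, state'), with action one of
#             ('send', c, m), ('recv', c, m), ('local',)
# Constructed sample 1: request/acknowledge over the 2-cycle (p0, c01, p1, c10, p0);
# p0 waits for the ack before sending again, so at most one channel is ever non-empty.
PING_PONG = {
    "channels": {"c01": ("p0", "p1"), "c10": ("p1", "p0")},
    "init": {"p0": "s0", "p1": "t0"},
    "trans": {
        "p0": [("s0", ("send", "c01", "req"), "s1"), ("s1", ("recv", "c10", "ack"), "s0")],
        "p1": [("t0", ("recv", "c01", "req"), "t1"), ("t1", ("send", "c10", "ack"), "t0")],
    },
}
# Constructed sample 2: same topology, but p1 answers without waiting, so both
# channels of the cycle can be non-empty at once (the CPS is not mutex).
FULL_DUPLEX = {
    "channels": {"c01": ("p0", "p1"), "c10": ("p1", "p0")},
    "init": {"p0": "s0", "p1": "t0"},
    "trans": {"p0": [("s0", ("send", "c01", "req"), "s0")],
              "p1": [("t0", ("send", "c10", "ack"), "t0")]},
}


def undirected_cycles(channels):
    """Simple undirected cycles of the topology, each as a frozenset of channel
    names: distinct processes and at least two distinct channels."""
    adj = {}
    for name, (src, dst) in channels.items():
        adj.setdefault(src, []).append((name, dst))
        adj.setdefault(dst, []).append((name, src))
    cycles = set()

    def dfs(start, node, seen, used):
        for name, nxt in adj[node]:
            if name in used:
                continue
            if nxt == start and used:
                cycles.add(frozenset(used | {name}))
            elif nxt not in seen:
                dfs(start, nxt, seen | {nxt}, used | {name})

    for p in adj:
        dfs(p, p, {p}, frozenset())
    return cycles


def is_mutex_config(cycles, non_empty):
    """Definition 3.1, applied to the set of non-empty channels of a configuration."""
    return all(len(cyc & non_empty) <= 1 for cyc in cycles)


def explore_eager(cps):
    """Breadth-first exploration of the eager runs of a finite CPS.
    A configuration is abstracted to (global control state, growing channels G):
    along an eager run a channel is either empty or holds only messages that will
    never be received, so G is exactly the set of non-empty channels and no message
    content is stored (the PSpace argument of Proposition 3.6).  Returns the visited
    abstract configurations and the first mutex violation (or None), a violation
    being a send c!m from a mutex configuration that puts a second non-empty channel
    on some cycle, as in the proof of Proposition 3.8."""
    chans, trans = cps["channels"], cps["trans"]
    procs = sorted(cps["init"])
    cycles = undirected_cycles(chans)
    init = (tuple(cps["init"][p] for p in procs), frozenset())
    seen, queue = {init}, deque([init])
    while queue:
        states, growing = queue.popleft()
        loc = dict(zip(procs, states))
        succ = []
        for p in procs:
            for (s, act, s2) in trans.get(p, []):
                if s != loc[p] or act[0] == "recv":  # a receive only occurs inside a rendezvous
                    continue
                if act[0] == "local":
                    succ.append(({p: s2}, growing))
                    continue
                _, c, m = act
                if not is_mutex_config(cycles, growing | {c}):
                    return seen, (states, growing, (p, c, m))
                succ.append(({p: s2}, growing | {c}))  # c!m is never received: c grows
                if c not in growing:                   # rendezvous c!m . c?m (FIFO respected)
                    q = chans[c][1]
                    for (t, act2, t2) in trans.get(q, []):
                        if t == loc[q] and act2 == ("recv", c, m):
                            succ.append(({p: s2, q: t2}, growing))
        for upd, g in succ:
            nxt = (tuple(upd.get(p, loc[p]) for p in procs), g)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, None


def is_mutex(cps):
    """Proposition 3.8: the CPS is mutex iff no eager run reaches a violation."""
    return explore_eager(cps)[1] is None


def cps_reachable_states(cps):
    """Proposition 3.6: a mutex CPS is eager (Corollary 3.4), so the eager exploration
    visits every reachable global control state without storing channel contents."""
    if not is_mutex(cps):
        raise ValueError("only sound for mutex CPS")
    return {states for states, _ in explore_eager(cps)[0]}
```

The exploration space is bounded by the product of the local state spaces times $2^{|C|}$, which is why it can be enumerated on the fly; for a non-mutex CPS the returned witness is the mutex predecessor $x'$ (as a state tuple plus its growing channels) together with the offending send.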

Proposition 3.9. The question whether a finite CPS is eager, is undecidable.

Proof. We show a reduction from the universality problem for rational relations [5]. Given such a relation $K \subseteq A^* \times B^*$, we ask whether $K = A^* \times B^*$. Here, $K$ is described by a finite automaton $\mathcal{A}_K$ over the alphabet $A \cup B$.

We describe a finite CPS over four processes, called $p_0, \ldots, p_3$, and four channels $c_{01}, c_{10}, c_{02}, c_{03}$ satisfying $p_0 \to p_1$, $p_1 \to p_0$, $p_0 \to p_2$, $p_0 \to p_3$. Process $p_0$ is described in Fig. 2. The ingoing (outgoing, resp.) edges of $\mathcal{A}_K$ lead to the initial state (from the final states, resp.). Transition labels $a \in A$ in $\mathcal{A}_K$ are replaced by $c_{02}!a$, and labels $b \in B$ are replaced by $c_{03}!b$.

Process $p_1$ is described in Fig. 3. The LTS $\mathcal{A}_{p_2} = \mathcal{A}_{p_3}$ of processes $p_2, p_3$ consists of a single (initial) state without any transition. Therefore, when talking about "state components" below we only mention processes $p_0, p_1$.
Figure 2: Process $p_0$ ($a \in A$, $b \in B$) (automaton not reproduced; its edges are labelled $c_{02}!a$ and $c_{03}!b$)

Figure 3: Process $p_1$ (automaton not reproduced)

The only runs of the above CPS that cannot be reordered into an eager run are produced by $p_0$ and $p_1$ using all four $\$$-transitions. The state component of these configurations is $(2, 5)$. The channel contents are $\varepsilon$ for $c_{01}$ and $c_{10}$, $A^*$ for $c_{02}$ and $B^*$ for $c_{03}$. Each of these configurations can also be reached by an eager run if and only if $K = A^* \times B^*$. □

4. Bounded Phase Reachability 

Bounded-context reachability has been shown to be a successful under-approximation method for the analysis of concurrent Boolean programs [27]. For RCPS, bounded-context reachability allows us to attack the reachability problem from a different angle than in Section 2. In this section, we neither restrict the typed topology, nor constrain the runs to be eager (or mutex). The price to pay is a (strong) restriction on the form of the possible runs, namely a bounded number of switches between processes (i.e., phases). Our construction subsumes the 2-ExpTime algorithm for bounded-context reachability of well-queueing recursive communicating processes, as described in [21]. Recall that the latter algorithm is based on a reduction to bounded-phase reachability for multi-stack systems. In contrast, our construction below is direct and simpler.

A phase of an RCPS is a run consisting of moves of a unique process, called the phase process. In order to get decidability results one needs to introduce further restrictions over the communications performed during a phase. The first, obvious, restriction is on the typed topology $(T, \tau)$: for every channel $c$, either the source or the destination process is restricted on $c$. Moreover, we assume for simplicity that for each channel $c$, one of the two processes is unrestricted on $c$. The second type of restriction concerns the kind of communication a process is allowed to perform during a phase, and is defined by two (dual) types of phases, called mux-phases and demux-phases, respectively.

Let $c$ be a channel with source process $p$ that is restricted on $c$. A phase of process $p$ is a mux-phase (with channel $c$) if the allowed communication for $p$ is either sending into $c$, or receiving on channels $d$ such that the source process is restricted on $d$, see also Figure 4.
Figure 4: Phases of an RCPS: mux (on the left) and demux (on the right) (diagram not reproduced; legend: ○ restricted, ● unrestricted)

Dually, let c be a channel with destination p that is restricted on c. A phase of process p is 
a demux-phase (with channel c) if the allowed communication for p is either receiving on c, 
or sending on channels d such that the destination process is restricted on d. Demux-phases 
are precisely the phases/contexts used by [21] . 

A run $\rho$ of an RCPS is said to be $k$-bounded if it can be decomposed as $\rho = \rho_1 \cdots \rho_k$, where each $\rho_j$ is a mux- or demux-phase. A configuration $x \in X$ is $k$-bounded-reachable in an RCPS $\mathcal{R}$ if there exists a $k$-bounded run of $\mathcal{R}$ from the initial configuration $x_i$ to $x$. We define the $k$-bounded-reachability set of $\mathcal{R}$ as $\mathrm{Reach}_k(\mathcal{R})$, the set of $x \in X$ that are $k$-bounded-reachable in $\mathcal{R}$. The state bounded-reachability problem for RCPS asks for a given RCPS $\mathcal{R}$, a global control state $z \in Z$ and an integer $k$ (in unary encoding), whether $\mathrm{Reach}_k(\mathcal{R})$ intersects $\{z\} \times (\prod_{p \in P} (\Gamma_p)^*) \times (M^*)^C$.

In the remainder of this section we will use an extended version of phases, still denoted as phase for convenience. A phase $\phi = (p, \mathcal{D}, z_F)$ will consist, as previously, of a phase process $p \in P$ and a pushdown system $\mathcal{D} = (Z, z_I, A, A_e, \Gamma_p, \Delta)$ as in Section 1 (which may be, e.g., the pushdown system of process $p$ in the RCPS, up to changing the initial state). In addition we specify a (control) state $z_F \in Z$ which will be the target state of the phase. A phase is said to be local if $A_{\mathrm{com}}$ is empty. The size $|\phi|$ of a phase $\phi$ is the number of control states of $\mathcal{D}$. We associate with a phase $\phi$ the binary relation $\xrightarrow{\phi}$ over $(\prod_{p \in P} (\Gamma_p)^*) \times (M^*)^C$, defined by $(u_I, v_I) \xrightarrow{\phi} (u_F, v_F)$ if there exists a run from the configuration $(z_I, u_I, v_I)$ to the configuration $(z_F, u_F, v_F)$ in the RCPS obtained by fixing the processes $q \ne p$ to the trivial pushdown system with one state and no transition and the process $p$ to the pushdown system $\mathcal{D}$. A sequence $\Phi = (\phi_1, \ldots, \phi_k)$ of mux- or demux-phases is called an md-sequence. Such a sequence is said to be satisfiable if the following relation holds:

$((\varepsilon)_{p \in P}, (\varepsilon)_{c \in C}) \xrightarrow{\phi_1} \cdots \xrightarrow{\phi_k} ((\varepsilon)_{p \in P}, (\varepsilon)_{c \in C})$

The size of an md-sequence $\Phi = (\phi_1, \ldots, \phi_k)$ is $|\Phi| = |\phi_1| + \cdots + |\phi_k|$.

We will decide the satisfiability of md-sequences by reducing the problem to sequences of local phases. The reduction is performed by replacing one by one (de)mux-phases by local phases. We introduce a preorder over md-sequences that will decrease during the reduction. Let us first define the preorder $\sqsubseteq$ over phases by letting $\phi \sqsubseteq \psi$ if the phases $\phi$ and $\psi$ have the same phase process and the communication actions of $\phi$ are included in the communication actions of $\psi$. This preorder is extended component-wise over md-sequences by letting $(\phi_1, \ldots, \phi_k) \sqsubseteq (\psi_1, \ldots, \psi_k)$ if $\phi_j \sqsubseteq \psi_j$ for every $j$.

Proposition 4.1. Let $\Phi = (\phi_1, \ldots, \phi_k)$ be an md-sequence with at least one non-local phase. We can compute a finite set $F$ of md-sequences with $|F| \le |\Phi|^k$ in time $O(|F|)$ such that $\Phi$ is satisfiable if and only if $F$ contains a satisfiable md-sequence, and such that for every $\Psi \in F$:

• $|\Psi| \le 2|\Phi|^2$

• $\Psi \sqsubseteq \Phi$ and there exists $j$ such that $\psi_j$ is local whereas $\phi_j$ is not local.

Proof. Since $\Phi$ contains at least one non-local phase, there exists a maximal index $j$ such that $\phi_j$ is demux non-local, or there exists a minimal index $j$ such that $\phi_j$ is mux non-local. We first explain why these two cases are symmetric. Given a phase $\phi = (p, \mathcal{D}, z_F)$ where $\mathcal{D} = (Z, z_I, A, A_e, \Gamma, \Delta)$, let $\bar\phi = (p, \bar{\mathcal{D}}, z_I)$ be the phase with $\bar{\mathcal{D}} = (Z, z_F, \bar A, \bar A_e, \Gamma, \bar\Delta)$ the pushdown system obtained from $\mathcal{D}$ by reversing the channels, exchanging push/pop actions and send/receive actions, and reversing the transition relation. We observe that $(u, v) \xrightarrow{\phi} (u', v')$ if and only if $(u', v') \xrightarrow{\bar\phi} (u, v)$. In particular $(\phi_1, \ldots, \phi_k)$ is satisfiable if and only if $(\bar\phi_k, \ldots, \bar\phi_1)$ is satisfiable. Since $\phi$ is a mux (resp. demux) phase if and only if $\bar\phi$ is a demux (resp. mux) phase, we obtain that the two cases above are symmetric. Thus, in the remainder of this proof we assume that there exists a maximal index $j$ such that $\phi_j$ is a non-local demux-phase.

Let $\phi_j = (p, \mathcal{D}, z_F)$ and let $\mathcal{D} = (Z, z_I, A, A_e, \Gamma, \Delta)$ be the pushdown system of $\phi_j$. Since $\phi_j$ is a demux-phase, messages are received from a unique channel, say $c$. Moreover, process $p$ is restricted on this channel. Let us define the md-sequence $\Phi^\varepsilon$ from $\Phi$ by removing the communication actions in the $j$-th phase.

In the sequel, we show how to build md-sequences $\Phi^\pi = (\phi^\pi_1, \ldots, \phi^\pi_k)$, where $\Phi^\pi$ is parametrized by a sequence $\pi = (z_r)_{s \le r \le j}$ of control states $z_r \in Z$ with $s < j$. Each sequence $\Phi^\pi$ is such that $\Phi^\pi \sqsubseteq \Phi$ with $\phi^\pi_j$ a local phase. In order to obtain a local phase $\phi^\pi_j$, i.e., a phase without any communication action, all communications with the pushdown system $\mathcal{D}$ are simulated in the phases $\phi_s, \ldots, \phi_j$. Here, the integer $s$ is the index of the first phase that sends messages into channel $c$ that are received in the $j$-th phase. We show below that $\Phi$ is satisfiable if and only if $\Phi^\varepsilon$ or $\Phi^\pi$ is satisfiable for some sequence $\pi$.

The state sequence $\pi = (z_r)_{s \le r \le j}$ provides checkpoints of the simulation of $\mathcal{D}$ during the phases $\phi_s, \ldots, \phi_j$. In particular, the states $z_r \in Z$ in $\pi$ will be assumed by process $p$ with empty stack, and the communication on channel $c$ during phase $r$ takes place between state $z_r$ and state $z_{r+1}$.

Since $p$ is restricted on channel $c$, it receives messages from $c$ in the $j$-th phase with empty stack. Moreover, by the choice of $j$ and the fact that a satisfiable md-sequence must end with empty channels, process $p$ sends no message during phase $j$ (otherwise, there would exist some demux, non-local phase after $j$, namely one where such messages would be received). By a well-known saturation algorithm we can compute in polynomial time (see for example [11]) from $\mathcal{D}$ the set $R$ of pairs of control states $(z, z') \in Z \times Z$ such that there exists an execution of $\mathcal{D}$, consisting of stack actions and local actions only, from $(z, \varepsilon)$ to $(z', \varepsilon)$ (i.e., from empty stack to empty stack). Let $\phi_r = (q_r, \mathcal{D}_r, t_{F,r})$ where $\mathcal{D}_r = (T_r, t_{I,r}, A, \Gamma, \Delta_r)$ with $s \le r < j$.

We first provide the definition of $\phi^\pi_r$ with $s < r < j$. Recall that $\pi = (z_r)_{s \le r \le j}$. The pushdown system $\mathcal{D}^\pi_r$ is obtained by considering $|Z|$ many copies of $\mathcal{D}_r$. Control states of these copies are identified by pairs $(t, z) \in T_r \times Z$. In these copies, actions that send messages to the channel $c$ are directly matched with actions that receive messages in $\mathcal{D}$. More formally, for every $(t, c!m, t') \in \Delta_r$ and $(z, c?m, z') \in \Delta$ we add a local action from $(t, z)$ to $(t', z')$. We also add transitions that simulate the effect of the stack of $\mathcal{D}$. More precisely, we add a local action from $(t, z)$ to $(t, z')$ for every $t \in T_r$ and for every $(z, z') \in R$. The initial state $t_{I,r}$ and the final state $t_{F,r}$ are replaced by $(t_{I,r}, z_r)$ and $(t_{F,r}, z_{r+1})$, resp.
The definition of $\phi^\pi_s$ follows almost the same construction, except that we should take into account the fact that in this phase we first perform moves that potentially send messages into $c$ and then, non-deterministically, we start to simulate the pushdown system $\mathcal{D}$. The difference is due to the fact that some messages into channel $c$ can be received during some phase before the $j$-th one. The simulation is performed with the construction presented in the previous paragraph. However, we keep in $\mathcal{D}^\pi_s$ the original pushdown system $\mathcal{D}_s$ and we add a local action from $t$ to $(t, z_s)$ for every $t \in T_s$. The initial state $t_{I,s}$ is left unchanged and the final state $t_{F,s}$ is replaced by $(t_{F,s}, z_{s+1})$.

The definition of $\phi^\pi_j$ is obtained by a simpler construction. Since messages received from $c$ are simulated in the previous phases, we can remove the communication actions of $\mathcal{D}$. Since the $j$-th phase may start or end with non-empty stack, we need in addition an extra copy of $\mathcal{D}$ (also without communication actions). The copy of a control state $z$ is denoted by $\hat z$. We then add a local action from $z_s$ to $\hat z_j$ with the empty stack guard, i.e., this local action belongs to $A_e$. This action accounts for the simulation of $\mathcal{D}$ between state $z_s$ and state $z_j$. Moreover, the initial control state $z_I$ is left unchanged and the final state is replaced by $\hat z_F$.

Finally, the phases $\phi^\pi_r$ with $r < s$ or $r > j$ are equal to $\phi_r$. We observe that $\Phi$ is satisfiable if and only if $\Phi^\varepsilon$ is satisfiable or there exists a sequence $\pi$ such that $\Phi^\pi$ is satisfiable. Defining $F$ as the set of md-sequences $\Phi^\pi$ together with the additional md-sequence $\Phi^\varepsilon$ concludes the proof. □

Corollary 4.2. The satisfiability of an md-sequence $\Phi$ of length $k$ can be checked in time doubly exponential in $k$ (but polynomial in the size of $\Phi$).

Proof. Since the reduction introduced by applying Proposition 4.1 transforms at least one non-local phase into a local one, after at most $k$ steps we obtain a finite set $F$ of md-sequences consisting of local phases only. Moreover, an immediate induction based on Proposition 4.1 also shows that every $\Psi \in F$ has size $|\Psi| \le 2^k |\Phi|^{2^k}$. The size of $F$ can be bounded by the number of leaves of a tree of height $k$ with rank bounded by $(2^k |\Phi|^{2^k})^k$. Thus $|F| \le ((2^k |\Phi|^{2^k})^k)^k$. The satisfiability of a sequence $\Psi \in F$ can be checked in time $O(|\Psi|^2)$, since the empty-stack control state reachability problem for pushdown systems is decidable in polynomial time. We conclude that the satisfiability of an md-sequence can be checked in 2-ExpTime, but polynomially in $|\Phi|$ when $k$ is fixed. □
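The polynomial-time pushdown reachability that Proposition 2.7, the set $R$ in the proof of Proposition 4.1, and Corollary 4.2 rely on, as an added Python example that is not the paper's code: a saturation fixpoint computing the balanced summaries of a pushdown system, the empty-stack-to-empty-stack relation $R$ on top of it (where the empty-stack guard of $A_e$ matters), and control-state reachability from $(z_I, \varepsilon)$ with an arbitrary stack. The transition encoding, the function names and the constructed sample system EXAMPLE are ours.

```python
# Added example, not the paper's code. A pushdown system D = (Z, z_I, A, A_e, Gamma, Delta)
# is encoded as a list of transitions (sends and receives are omitted, since R is
# computed from stack and local actions only):
#   ('push',   z, gamma, z1)   push gamma and move to z1
#   ('pop',    z, gamma, z1)   pop gamma (it must be on top) and move to z1
#   ('local',  z, z1)          internal move, stack unchanged
#   ('elocal', z, z1)          internal move allowed only with an empty stack (the set A_e)


def balanced_summaries(trans):
    """Least set B of pairs (z, z1) such that D can move from (z, w) to (z1, w) for
    every stack w without ever looking below w.  Guarded moves are excluded: inside
    a balanced segment the stack is never empty.  Polynomial-time saturation."""
    states = {t[1] for t in trans} | {t[-1] for t in trans}
    pushes = [t[1:] for t in trans if t[0] == "push"]
    pops = [t[1:] for t in trans if t[0] == "pop"]
    B = {(z, z) for z in states} | {(t[1], t[2]) for t in trans if t[0] == "local"}
    changed = True
    while changed:
        changed = False
        new = set()
        for (a, b) in B:                       # (a,b) (b,c)  =>  (a,c)
            for (b2, c) in B:
                if b == b2:
                    new.add((a, c))
        for (z0, g, z1) in pushes:             # push g, balanced segment, pop g
            for (a, z2) in B:
                if a == z1:
                    for (b, g2, z3) in pops:
                        if b == z2 and g2 == g:
                            new.add((z0, z3))
        if not new <= B:
            B |= new
            changed = True
    return B


def empty_stack_summaries(trans):
    """The set R of the proof of Proposition 4.1: pairs (z, z1) with an execution
    from (z, epsilon) to (z1, epsilon).  A guarded local action can only fire at
    the empty-stack level, i.e. between balanced segments, so R = (B u A_e)^*."""
    R = balanced_summaries(trans) | {(t[1], t[2]) for t in trans if t[0] == "elocal"}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(R):
            for (b2, c) in list(R):
                if b == b2 and (a, c) not in R:
                    R.add((a, c))
                    changed = True
    return R


def pushdown_reachable_states(trans, z_init):
    """Control-state reachability from (z_init, epsilon) with an arbitrary final
    stack (the problem Proposition 2.7 reduces to).  Every run factors as R-steps at
    the empty-stack level followed by unmatched pushes interleaved with balanced
    segments, so no stack content has to be enumerated."""
    R, B = empty_stack_summaries(trans), balanced_summaries(trans)
    pushes = [t[1:] for t in trans if t[0] == "push"]
    empty = {z_init} | {z for (a, z) in R if a == z_init}
    nonempty, work = set(), list(empty)
    while work:
        z = work.pop()
        for (a, g, z1) in pushes:              # an unmatched push leaves the empty level for good
            if a == z and z1 not in nonempty:
                nonempty.add(z1)
                work.append(z1)
        if z in nonempty:                      # above that push only balanced moves remain
            for (a, z1) in B:
                if a == z and z1 not in nonempty:
                    nonempty.add(z1)
                    work.append(z1)
    return empty | nonempty


# Constructed sample: z0 pushes a frame, z1 recurses, z2 unwinds; z3 is entered by a
# guarded move, hence only once every frame is popped, so the pop at z3 can never
# fire and z4 is unreachable.  Reading 'elocal' as a plain 'local' makes z4 reachable.
EXAMPLE = [
    ("push", "z0", "a", "z1"),
    ("push", "z1", "a", "z1"),
    ("local", "z1", "z2"),
    ("pop", "z2", "a", "z2"),
    ("elocal", "z2", "z3"),
    ("pop", "z3", "a", "z4"),
    ("push", "z3", "b", "z5"),
]
```

In the phase construction of Proposition 4.1, the pairs in $R$ become the local actions from $(t, z)$ to $(t, z')$ that let the sender's phase skip over the stack activity of the receiving process; the guard is what keeps the checkpoints $z_r$ at empty stack.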

Theorem 4.3. The state bounded-reachability problem for RCPS with typed topology such that each channel is restricted at least at one extremity, is 2-ExpTime-complete. If the number of phases and the typed topology are not part of the input, the problem can be solved in polynomial time.

Proof. For the upper bound we can assume w.l.o.g. that we reach the target control state with all stacks and channels empty. For this, we can choose non-deterministically the push actions that will not be matched and, for each channel, the first message that will no longer be received. The bound then follows from Corollary 4.2.

For the lower bound we can adapt proof ideas from [3, 22], by showing how to simulate alternating Turing machines $M$ of exponential space by RCPS with typed topology as in the statement of the theorem. If the space bound of $M$ is $2^k$ we use $O(k)$ processes, called $p_0$ and $p_i, q_i^o, q_i^e$, $1 \le i \le k$. Process $p_0$ is the only one using a stack, storing an accepting computation tree of $M$. We will not go into the details of how to encode the tree (it is the usual depth-first traversal of the tree, plus appropriate encoding of transitions), see e.g. [3] for details. Instead we explain now how to check that the content of the stack of $p_0$ is a word of the form $(w\#)^m$ for some $w \in \{0,1\}^{2^k}$ and $m > 0$.

In the first phase, process $p_0$ empties its stack and while doing this, sends the following to $q_1^o, q_1^e$:

• $q_1^o$: every symbol of $w$ at an odd position,

• $q_1^e$: every symbol of $w$ at an even position.

Assuming that the stack content of $p_0$ is $w_1 \# \cdots w_m \#$, the outgoing channels of $p_0$ will contain after this first stage the following words ($u^o$ and $u^e$ denote the subword of $u$ at odd and even positions, respectively):

• $w_1^o \# \cdots \# w_m^o \#$ for $(p_0, q_1^o)$,

• $w_1^e \# \cdots \# w_m^e \#$ for $(p_0, q_1^e)$.

In the second and third phase, process $q_1^o$, and then $q_1^e$, receives from $p_0$ and resends each message to $p_1$. In phases 4 and 5, process $p_1$ receives $w_1^o \# \cdots \# w_m^o \#$ from $q_1^o$, and then $w_1^e \# \cdots \# w_m^e \#$ from $q_1^e$. In each of these phases $p_1$ resends to $q_2^o$ and $q_2^e$ its odd/even subwords as $p_0$ above, adding a separator $\$$ between the two halves. So process $p_1$ acts basically like $p_0$, but on "input" of the form $w_1^o \# \cdots \# w_m^o \# \$ w_1^e \# \cdots \# w_m^e \#$, where one has to check equality for words of length $2^{k-1}$: $w_1^o = \cdots = w_m^o$ and $w_1^e = \cdots = w_m^e$, respectively. This procedure is iterated up to process $p_k$, that simply checks that it receives two words from $q_k^o, q_k^e$ of the form $((0\#0\# + 1\#1\#)\$^+)^*$.

The above proof for stack contents of the form $w \# w \# \cdots w \#$ for some $w \in \{0,1\}^{2^k}$ is of course a special case of the Turing machine simulation, however it captures the main idea. For the Turing machine it is readily seen how to extend the proof to a sequence of configurations $w_1 \# w_2 \# \cdots w_k \#$, where $w_{i+1}$ is the successor configuration of $w_i$. Here, it helps to see each $w_i$ as a sequence of triples of tape symbols, i.e., each position stores the current symbol, plus its neighbors. In addition, one encodes the transitions leading from $w_i$ to $w_{i+1}$, say after each $\#$. For the final check, process $p_k$ will check that the first triple is consistent with the middle symbol of the second triple. □



5. Conclusion 

Applications. CPS combine an automata-based local process model with point-to-point 
communication, which results in an intuitive and simple framework. 

Since we subsume well-queueing RCPS, we also inherit their application domains, e.g., 
event-based programs. The dual restriction to well-queueing (i.e., that sending on a channel 
is only possible if the stack is empty) covers, e.g., "interrupt based" programming models, 
i.e., threads that can receive messages while still in recursion, as well as extended sensor 
networks where peers can collect and send data while using their pushdown for computa- 
tions. 

Figure 5 shows an example for non-confluent typed topologies that are on the rise with the current focus on distributed computing. The topology corresponds to a hierarchical overlay network as implemented, for example, in master-worker protocols. Intuitively, each master distributes tasks to its workers and uses their results during its own computation. When the latter is finished, i.e., when its stack is empty, the master sends a result to its own master. Therefore, channel restrictions respect the hierarchy: channels between a master and a worker must be restricted on the worker's side. In fact, our generic non-confluence criterion permits additional communications: workers of the same master may communicate with each other via channels on which they are restricted (e.g., $p_5$ and $p_6$), and we may have a communication cycle between top-level masters (e.g., $p_1$ and $p_2$). Notice also the use of the dual notion to well-queueing, when sending information from lower to higher levels.

Figure 5: Non-confluent typed topology in a hierarchical master-worker setting (diagram not reproduced)

Proposition 3.3 allows for further applications, since it does not assume that the CPS is finite: we can combine locally decidable models for multi-threaded programs (with or without local data), as well as local event-based programs, together with eager (or mutex) communication architectures; natural candidates for local models would be Petri nets, well-structured transition systems [13], or multi-set pushdown systems [29].

Summary. We discussed in detail the class of eager RCPS (as well as mutex CPS) which 
both generalize the current lineup of decidable models for asynchronously communicating 
pushdown systems. Further, we presented an optimal decision procedure for eager RCPS 
over non-confluent architectures in ExpTime, as well as a direct and simpler construction 
for bounded phase reachability for RCPS. 

Outlook. This paper dealt with the most basic form of verification, namely control-state 
reachability. More general reachability questions (w.r.t. configurations) may be interesting 
to consider. Further decision problems for CPS, like boundedness or liveness, will be 
investigated in future work. 